These notes are with respect to FreeNAS 11 and Bind 9.
The first thing you will need is storage for jails. If this is already set up, you can reuse it. To create it, go to Storage and select the location you want to use, then click Create Dataset. You can name it as you wish … though jails is a handy one. All the other options are defaults (sync=inherit/standard, compression=inherit/lz4, share-type=unix, enable-atime=inherit/on, zfs-deduplication=inherit/off, quotas=0/unlimited, reserved-space=0/none, read-only=inherit/off, record-size=inherit).
Next, we have to add the jail. Within Jails, click Add Jail. Again, any name will do … I chose bind. All the other options are defaults, though check that the IP address and netmask are what you wish to use (type=standard, ipv4-dhcp unchecked, IP aliases=
To install Bind, we want to get to a shell on the FreeNAS system (ssh works too).
# determine the jail ID (JID) of the newly created jail
$ jls
# shell into the jail (replace <jid> with the ID shown by jls)
$ jexec <jid> /bin/sh
# install dependencies
$ pkg install texinfo libedit
# install bind from ports (for this, just took defaults when prompted)
# if you do not have /usr/ports, run portsnap fetch && portsnap extract
$ cd /usr/ports/dns/bind911
$ make install clean
To configure BIND, we edit /usr/local/etc/namedb/named.conf.
Start by defining an acl for the internal network; it is what the options below use to restrict queries and recursion to your own clients instead of leaving an open resolver:
acl goodclients {
192.168.0.0/16;
localhost;
localnets;
};
Within "options {", there are a couple of things to configure:
recursion yes;
allow-query { goodclients; };
allow-recursion { goodclients; };
allow-transfer { none; };
listen-on { 192.168.88.81; };
listen-on-v6 { none; };
Note: listen-on and listen-on-v6 set the address(es) BIND accepts queries on (this matches the jail's IP config). allow-recursion { goodclients; } is what keeps the server from being an open resolver for anyone who can reach it, and allow-transfer { none; } refuses zone transfers (AXFR) from everyone.
Now we can validate the config (named-checkconf prints nothing when the file parses cleanly) and start the service:
$ named-checkconf
$ service named start
$ service named status
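named-checkconf only checks syntax; it will happily accept an open resolver. The script below is an added example written for these notes (it is not part of BIND or of the original page): a small linter that reads the acl and options blocks of a named.conf and flags the settings that matter here, recursion open to anyone, allow-recursion left to BIND's fallback, allow-transfer left at its default, and listen-on unset or bound to every interface. It assumes Python 3 is available (pkg install python3 in the jail); the ACL name goodclients and the 192.168.88.81 address come from the notes, and the two sample configs embedded at the bottom are constructed for this example.

```python
"""Lint the security-relevant directives in a BIND named.conf.

Added example for these notes, not BIND's own tooling. Run it over
/usr/local/etc/namedb/named.conf before `named-checkconf`. Assumes
Python 3; the sample configs at the bottom are constructed.
"""
import re
import sys

# Tokens: quoted strings, braces, semicolons, and bare words (names, addresses).
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
# Address-match-list members that mean "everyone".
_OPEN = {"any", "0.0.0.0/0", "0/0", "::/0"}


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # /* ... */
    return re.sub(r"(?m)(//|#).*$", " ", text)          # // and # to end of line


def _block_end(tokens, open_idx):
    """Index of the `}` matching the `{` at open_idx."""
    depth = 0
    for j in range(open_idx, len(tokens)):
        depth += {"{": 1, "}": -1}.get(tokens[j], 0)
        if depth == 0:
            return j
    raise ValueError("unbalanced braces in named.conf")


def _directives(tokens):
    """Map each `name ... ;` statement to its value tokens, braces removed."""
    out, i = {}, 0
    while i < len(tokens):
        name, values, depth, j = tokens[i], [], 0, i + 1
        while j < len(tokens):
            t = tokens[j]
            if t == "{":
                depth += 1
            elif t == "}":
                depth -= 1
            elif t == ";" and depth == 0:
                break  # end of this statement
            elif t != ";":
                values.append(t)
            j += 1
        out[name] = values
        i = j + 1
    return out


def parse_named_conf(text):
    """Return (acls, options): acl name -> members, option name -> values."""
    tokens = _TOKEN.findall(_strip_comments(text))
    acls, options, i = {}, {}, 0
    while i < len(tokens):
        if tokens[i] == "acl" and i + 2 < len(tokens) and tokens[i + 2] == "{":
            end = _block_end(tokens, i + 2)
            acls[tokens[i + 1].strip('"')] = [t for t in tokens[i + 3:end] if t != ";"]
            i = end + 1
        elif tokens[i] == "options" and i + 1 < len(tokens) and tokens[i + 1] == "{":
            end = _block_end(tokens, i + 1)
            options = _directives(tokens[i + 2:end])
            i = end + 1
        else:
            i += 1
    return acls, options


def _expand(values, acls, seen=()):
    """Replace ACL names by their members, so an ACL that contains `any` is caught."""
    out = []
    for v in values:
        v = v.strip('"')
        if v in acls and v not in seen:
            out.extend(_expand(acls[v], acls, seen + (v,)))
        else:
            out.append(v)
    return out


def audit_named_conf(text):
    """Return findings (strings); empty means the options match the notes' settings."""
    acls, opts = parse_named_conf(text)
    findings = []
    if opts.get("recursion", ["yes"]) == ["yes"]:  # BIND defaults to recursion yes
        if "allow-recursion" not in opts:
            findings.append("allow-recursion not set: BIND falls back to allow-query-cache, "
                            "then allow-query, then localnets/localhost")
        effective = (opts.get("allow-recursion") or opts.get("allow-query-cache")
                     or opts.get("allow-query") or ["localnets", "localhost"])
        if _OPEN & set(_expand(effective, acls)):
            findings.append("open resolver: recursion is on and any client may recurse")
    if _OPEN & set(_expand(opts.get("allow-transfer", ["any"]), acls)):  # default is any
        findings.append("allow-transfer permits anyone: use { none; } or list your secondaries")
    listen = opts.get("listen-on")
    if listen is None or _OPEN & set(listen):
        findings.append("listen-on unset or any: named binds every interface; pin it to the jail IP")
    return findings


# Constructed samples: a typical "it resolves, ship it" config, and the settings from these notes.
WEAK_CONF = """
options {
    recursion yes;
    allow-query { any; };
};
"""

HARDENED_CONF = """
acl goodclients { 192.168.0.0/16; localhost; localnets; };  // the notes' internal network
options {
    recursion yes;
    allow-query { goodclients; };
    allow-recursion { goodclients; };
    allow-transfer { none; };
    listen-on { 192.168.88.81; };
    listen-on-v6 { none; };
};
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 lint_named.py /usr/local/etc/namedb/named.conf
        with open(sys.argv[1]) as f:
            samples = {sys.argv[1]: f.read()}
    else:
        samples = {"weak": WEAK_CONF, "hardened": HARDENED_CONF}
    for label, conf in samples.items():
        print(label + ":", "; ".join(audit_named_conf(conf)) or "ok")
```

The fallback order in the recursion check (allow-recursion, then allow-query-cache, then allow-query, then localnets/localhost) is the order BIND 9 itself uses when allow-recursion is absent, which is why a config with only allow-query { any; } is an open resolver even though it never mentions recursion clients. The parser is deliberately shallow: it only interprets top-level acl and options statements, so zone blocks and nested option blocks are skipped rather than misread.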
To have this run on startup in our jail, edit /etc/rc.conf (in the jail):
named_enable="YES"
named_program="/usr/local/sbin/named"
By default, resolvconf will try to update /etc/resolv.conf inside the jail which may not be what you want. You can configure a static config. Edit /etc/resolv.conf:
# resolvconf is disabled, see /etc/resolvconf.conf
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 8.8.8.8
nameserver 8.8.4.4
Edit /etc/resolvconf.conf:
# disable resolvconf from running any subscribers:
resolvconf="NO"
That should do it. You can restart your jail and ensure /etc/resolv.conf matches expectations.
The address in listen-on is what you will configure the clients on your network to use. For example, this internal network has two BIND DNS servers (running on different FreeNAS machines), so the DHCP configuration for this network hands out two DNS servers: 192.168.88.81 and 192.168.88.90. Specifying two lets clients survive the failure of any single BIND instance.
After setting this up, I ran DNS Benchmark. This tool is great for testing DNS configuration (from DHCP settings to DNS server performance, of your local servers as well as public ones). The conclusions it showed after running its benchmark proved the local network had optimal DNS configuration.